Monday February 06, 2012

Risk Management


The Challenge

Organizations have struggled with as many as 40,000 spreadsheets for a single compliance purpose [1]. Measuring compliance with a spreadsheet is a surefire way to extend the cost, time and resources needed to complete any regulatory IT audit. This approach is often error-prone and does not let a company fully view the business relationships between risks and the controls needed to address them. The reliability and timeliness of such an approach are also limited.

And the process starts over for each individual regulation or standard that must be assessed during an audit.

The failure to understand the business impact of IT assets also hampers true risk assessment. Many organizations have blind spots regarding their level of IT risk and degree of compliance, lacking the necessary tools to gain visibility and ultimately achieve compliance for multiple regulations and standards in an automated fashion.

The Solution

The solution provides comprehensive security compliance software that enables organizations to streamline and automate audit and IT risk management workflows, thereby reducing the cost of compliance.

The solution provides a comprehensive view across hundreds of global regulations, mandates and internal policies, improving the efficiency of controls and reducing risk. It provides the flexibility to accommodate evolving requirements and enables real-time visibility of the level of compliance achieved. It delivers visibility for compliance and risk through four key capabilities:

  1. Risk Profiling

Easily model the relationship between your IT assets and business interests to identify IT-borne business risk. The solution categorizes an organization’s resource types including technology, people and processes, and then develops a powerful risk profile through its patent-pending risk intelligence engine. The risk profile information is automatically correlated with internal and external compliance requirements to suggest mitigating IT controls and address potential regulatory and IT risk exposure.

  2. Controls Framework

Leveraging the industry-standard Unified Compliance Framework (UCF), the solution harmonizes controls across hundreds of different regulations including PCI, SOX, FISMA, HIPAA, NERC, CobiT, NIST and many more. This means that no control is ever duplicated and the structure and language of each control follows the same predictable format.

  3. Controls Assessment

Streamline and automate the workflow for assessing technical, physical and procedural controls by interfacing to third party point products such as vulnerability scanners. Utilize automated surveys to complete your assessment of physical and procedural controls.

  4. Risk & Compliance Reporting

Generate reports with key metrics to satisfy a diverse IT risk and compliance audience through compliance and IT risk reporting, operational security reporting and remediation modeling and forecasting. Create "what-if" scenarios to better estimate how a project or remediation effort will improve your IT risk and compliance posture.



The Benefits

IT Risk Profiling

These features model the relationship between IT assets and business interests to identify IT-borne business risk.

Key Product Features

  • IT Asset Catalog with Comprehensive Resource Types
 - The IT Asset repository includes all resource types, including applications, databases, servers, networks, data centers, people, and processes.
  • Business Interest Mapping
 - Create a catalog of the key information and processes unique to your business that need to be protected from IT risk. Business Interests are mapped to Subjects (assets) to provide a business risk context for IT resources.
  • Business Impact Analysis through Stakeholder Surveys
 - Use stakeholder surveys to determine the business impact of a risk scenario that compromises the Confidentiality, Integrity, or Availability of a Business Interest.
  • Risk Profile Surveys
 - Use automated surveys to allow system owners to set risk profile attributes for Subjects.
  • Reasonably Anticipated Risks
 - Automatically enumerate all of the reasonably anticipated risks that should be mitigated for each Subject.
  • Dynamic Groups
 - Define Subject groups with attribute-based criteria. Membership in a group is determined dynamically based on whether a Subject’s risk profile matches the group’s criteria.
  • Patent-Pending Risk Intelligence Engine
 - Analyzes each Subject’s risk profile to automatically identify the risks the Subject is exposed to, the compliance mandates that apply, and the controls that must be implemented to both satisfy compliance and mitigate risk.
Benefits
  • Ensure Comprehensive Visibility of IT Risk Exposure
    Provides visibility into all areas of potential IT risk exposure including IT assets, people and processes.
  • Correlate IT Risk to Business Impact
    Ensures risk-based analysis of your IT posture.
  • Automate Survey Workflow
    Provides an automated effective means for identifying, capturing and incorporating business stakeholder input into the risk analysis process.
  • Automate Previously Manual Tasks
    Provides an efficient manner for obtaining system owner input into the risk analysis process.
  • Effective Communication of IT Risks to Business Audience
    Natural language IT risk statements enable the security team to clearly communicate IT risks to non-technical audiences.
  • Improve Visibility into IT Environment
    Provides flexibility and efficiency in metrics and reporting.
  • Optimize IT Resources
    Automatic risk profile analysis saves time over manual risk analysis practices. The intelligence-based approach eliminates the need for highly skilled security experts to spend time performing manual risk analysis.
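The Risk Profiling features above describe a data model rather than a procedure: Subjects carry risk-profile attributes, Business Interests map onto Subjects with Confidentiality/Integrity/Availability impact ratings gathered from stakeholder surveys, Dynamic Groups select Subjects by attribute criteria, and a rules engine enumerates reasonably anticipated risks per Subject. The following Python sketch is an added example of that model; it is not the product's code, and the subjects, business interests, attribute names and risk rules in it are constructed assumptions.

```python
"""Hypothetical risk-profiling model (added example, not the product's own code).
Subjects carry attributes, Business Interests map to Subjects with CIA impact
ratings, Dynamic Groups are evaluated from attribute criteria, and a small rule
table enumerates the reasonably anticipated risks for each Subject."""
from dataclasses import dataclass, field


@dataclass
class Subject:
    name: str
    resource_type: str                      # application, database, server, people, process ...
    attributes: dict = field(default_factory=dict)   # risk-profile attributes set by the owner


@dataclass
class BusinessInterest:
    name: str
    impact: dict                            # stakeholder-survey ratings {"C": 1-5, "I": 1-5, "A": 1-5}
    subjects: list = field(default_factory=list)     # names of Subjects that carry this interest


# Constructed sample inventory (assumed values, not real assets)
SUBJECTS = [
    Subject("crm-db", "database", {"internet_facing": False, "stores_pii": True, "encrypted_at_rest": False}),
    Subject("web-portal", "application", {"internet_facing": True, "stores_pii": True, "encrypted_at_rest": True}),
    Subject("build-server", "server", {"internet_facing": False, "stores_pii": False, "encrypted_at_rest": False}),
]
INTERESTS = [
    BusinessInterest("customer records", {"C": 5, "I": 4, "A": 3}, ["crm-db", "web-portal"]),
    BusinessInterest("release pipeline", {"C": 2, "I": 5, "A": 4}, ["build-server"]),
]

# Hypothetical rule table: attribute criteria -> risk scenario and the CIA properties it threatens
RISK_RULES = [
    ({"internet_facing": True}, "Exploitation of an exposed service", "CIA"),
    ({"stores_pii": True}, "Unauthorized disclosure of personal data", "C"),
    ({"stores_pii": True, "encrypted_at_rest": False}, "Theft of unencrypted storage media", "C"),
]


def matches(attributes, criteria):
    """True when every attribute named in `criteria` has the required value."""
    return all(attributes.get(k) == v for k, v in criteria.items())


def dynamic_group(criteria):
    """Evaluate a Dynamic Group: membership is recomputed from current attributes, never stored."""
    return [s.name for s in SUBJECTS if matches(s.attributes, criteria)]


def business_impact(subject_name):
    """Highest C/I/A rating among the Business Interests mapped to this Subject."""
    impact = {"C": 0, "I": 0, "A": 0}
    for bi in INTERESTS:
        if subject_name in bi.subjects:
            for prop in impact:
                impact[prop] = max(impact[prop], bi.impact[prop])
    return impact


def anticipated_risks(subject):
    """Enumerate reasonably anticipated risks; each is scored by the highest CIA rating it threatens."""
    impact = business_impact(subject.name)
    risks = []
    for criteria, scenario, props in RISK_RULES:
        if matches(subject.attributes, criteria):
            risks.append((scenario, max(impact[p] for p in props)))
    return sorted(risks, key=lambda r: -r[1])


def risk_register():
    """Natural-language risk statements per Subject, highest business impact first."""
    return {s.name: anticipated_risks(s) for s in SUBJECTS}


if __name__ == "__main__":
    print("Subjects holding PII:", dynamic_group({"stores_pii": True}))
    for name, risks in risk_register().items():
        print(name, risks)
```

The point of the sketch is the coupling: changing one attribute on a Subject (for example, setting `encrypted_at_rest` to True) changes its group membership and its enumerated risks on the next evaluation, which is what lets the risk register stay current without a manual re-analysis.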
IT Controls Framework

Harmonizes control requirements for compliance mandates and risk mitigation.
Key Product Features
  • Controls Framework
 - Controls Framework includes technical, procedural, and physical controls.
  • Unified Compliance Framework (UCF)
 - Network Frontiers’ industry-vetted, harmonized mapping of unique controls to compliance regulations is developed and maintained in collaboration with industry experts, legal advisors, and standards-setting bodies across global regulations.
  • Control Harmonization
 - Common controls (e.g. “Strong Passwords”) are normalized into a single control, which is cross-referenced to all standards and regulations that call for the requirement.
  • Compliance Library
 - Over 400 Regulations and Standards documents are included with full cross-references to supporting IT controls.
  • Internal Compliance and Security Policy / Control Mapping
 - Import internal compliance and security policies and cross-reference them to the harmonized controls framework.
  • Controls Linked to Risk Mitigation
 - Controls are automatically linked to the risk scenarios they help prevent, detect, or correct.
Benefits
  • Comprehensive Controls
 - Ensures comprehensive coverage and definition of all control activities needed to ensure compliance and mitigate IT risk.
  • Support Multiple Compliance Mandates
 - Automatically harmonizes IT control frameworks with industry regulation requirements to ensure that controls are reasonable and sufficient to satisfy multiple compliance mandates.
  • Assess Once, Comply with Many
 - Eliminates overlapping control requirements that result from multiple standards and regulatory requirements.
  • Optimize Compliance Workflows
 - Immediately understand which controls must be implemented on Subjects, and avoid the time spent performing custom cross-walks across multiple requirements documents.
  • Prove Compliance with Internal Policies
 - Demonstrates compliance with internal policies through a common assessment process.
  • Quickly Mitigate IT Risk
 - Demonstrates how IT controls can mitigate actual business IT risk.
IT Controls Assessment

Automated assessment of technical, physical and procedural controls.

Key Product Features
  • Workflow for Assessing Physical and Procedural Controls
 - Automated risk assessment workflow provides structure around the process of collecting scores and evidence for physical and procedural controls.
  • Automated Self-Assessment Surveys
 - Send multiple-choice question surveys to system owners to receive up-to-date control implementation status. Once approved, survey responses automatically update scores.
  • Survey Delegation
 - Survey recipients can delegate surveys to other team members as needed.
  • Control Score Aging
 - Configurable timers track the age of every control score to determine when controls need to be re-assessed.
  • Interfaces to Security Point Products
 - Built-in connectors to Lumension security solutions and other third party vulnerability scanning tools collect operational security data to automatically update control scores.
  • Attachments for Evidence Collection
 - Attachments on control scores provide evidence of the asserted score. Attachments can be files or URLs (for example, a URL to an internal document repository containing policies).
  • Accountability for IT Risk Scores
 - Every score record contains the UserID of the user who made the change.
  • Control Scoring History
 - All historical control scores are automatically archived.
  • Custom Control Score Status Indicator
 - Score items within the assessment workflow can be flagged to indicate status.
  • Auditor Self-Service Scoring Panel
 - The direct score entry panel is optimized for rapid scoring and data entry of assessment test results.
  • Approval-Based Workflow
 - Scores entered from self-assessment surveys and the auditor self-service panel can be reviewed and approved prior to committing them to the permanent scoring record.
Benefits
  • Streamline IT Risk Management Workflow
 - Saves time by organizing the data collection efforts associated with scoring physical and procedural controls into a single view.
  • Automate Previously Manual Tasks
 - Saves time over in-person interviews and manual data collection methods.
  • Ensure Effective Survey Workflow
 - Ensures that survey questions are routed to the appropriate person to answer the question without extensive up-front org-chart discovery by the security team.
  • Ensure Current Assessment Information
 - Automatically detects when score information has expired and needs to be updated to keep compliance and risk metrics up-to-date.
  • Automate Vulnerability and Configuration Assessment
 - Saves time by eliminating the need to manually parse through technical security reports to update high-level risk and compliance control scores.
  • Simplified Management
 - Provides a convenient way to manage the myriad evidence artifacts required to demonstrate the validity of self-assessment scores.
  • Ensure Audit Accountability
 - Provides accountability for score information.
  • Proof of Compliance
 - Ensures that historical scoring information is available when needed.
  • Rapid Evaluation of Control Scores
 - Flagging score status allows for quick triage of scores that require follow-up.
  • Optimize Audit Results Documentation
 - Allows auditors and security analysts to quickly document the results of their security testing activities.
  • Ensure Accuracy of Scoring Information
 - Provides an opportunity for internal quality assurance on scoring information, and ensures that incorrect survey responses don’t affect trend data or scoring history.
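The Controls Framework and Controls Assessment sections together describe one mechanism: a harmonized control is cross-referenced to every regulation that calls for it, so a single score record per control and Subject (with its UserID, evidence, approval state and aging timer) feeds the compliance figure of every mandate at once. The Python sketch below is an added example of that "assess once, comply with many" computation; it is not the product's code. The control set, the regulation mapping, the 90-day aging interval, the 0 to 4 scoring scale and the score history are all constructed assumptions.

```python
"""Hypothetical harmonized-controls model with score aging and approval
(added example, not the product's own code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed harmonized controls: each unique control lists every regulation
# that calls for it. Regulation names are real; the mapping is an assumption.
CONTROLS = {
    "CTRL-001": {"title": "Strong Passwords", "regs": {"PCI", "SOX", "HIPAA"}},
    "CTRL-002": {"title": "Encrypt Data at Rest", "regs": {"PCI", "HIPAA"}},
    "CTRL-003": {"title": "Quarterly Access Review", "regs": {"SOX", "HIPAA"}},
    "CTRL-004": {"title": "Change Management Approval", "regs": {"SOX"}},
}

MAX_AGE = timedelta(days=90)    # configurable aging timer (assumed value)


@dataclass
class ScoreRecord:
    control: str
    subject: str
    score: int                  # 0 = not implemented ... 4 = fully implemented (assumed scale)
    user_id: str                # accountability: who entered the score
    scored_on: date
    source: str                 # "survey", "auditor" or "scanner"
    approved: bool = False      # approval-based workflow: unapproved scores never count
    evidence: list = field(default_factory=list)   # file names or URLs backing the score


def is_current(rec, today):
    """False once the control score's aging timer has run out."""
    return today - rec.scored_on <= MAX_AGE


def effective_scores(records, today):
    """Latest approved, unexpired score per (control, subject). History is never deleted."""
    latest = {}
    for rec in records:
        if not rec.approved or not is_current(rec, today):
            continue
        key = (rec.control, rec.subject)
        if key not in latest or rec.scored_on > latest[key].scored_on:
            latest[key] = rec
    return latest


def compliance_by_regulation(records, today):
    """Assess once, comply with many: each regulation is scored from the shared
    control scores. A control with no current approved score counts as 0."""
    current = effective_scores(records, today)
    subjects = sorted({r.subject for r in records})
    report = {}
    for reg in sorted({reg for c in CONTROLS.values() for reg in c["regs"]}):
        cited = [cid for cid, c in CONTROLS.items() if reg in c["regs"]]
        total = sum(current[(cid, s)].score if (cid, s) in current else 0
                    for cid in cited for s in subjects)
        report[reg] = round(100 * total / (4 * len(cited) * len(subjects)))
    return report


def expired(records, today):
    """(control, subject) pairs whose approved score has aged out and must be re-assessed."""
    return sorted((r.control, r.subject) for r in records if r.approved and not is_current(r, today))


# Constructed assessment history for two Subjects
TODAY = date(2012, 2, 6)
RECORDS = [
    ScoreRecord("CTRL-001", "crm-db", 4, "u.auditor", TODAY - timedelta(days=10), "auditor", approved=True),
    ScoreRecord("CTRL-001", "web-portal", 4, "u.scanner", TODAY - timedelta(days=1), "scanner", approved=True),
    ScoreRecord("CTRL-002", "crm-db", 0, "u.owner", TODAY - timedelta(days=5), "survey", approved=True),
    ScoreRecord("CTRL-002", "web-portal", 4, "u.owner", TODAY - timedelta(days=5), "survey", approved=True),
    ScoreRecord("CTRL-003", "crm-db", 2, "u.owner", TODAY - timedelta(days=120), "survey", approved=True),   # aged out
    ScoreRecord("CTRL-003", "web-portal", 4, "u.owner", TODAY - timedelta(days=3), "survey"),                # awaiting approval
    ScoreRecord("CTRL-004", "crm-db", 3, "u.auditor", TODAY - timedelta(days=20), "auditor", approved=True,
                evidence=["https://intranet.example/policies/change-management"]),
    ScoreRecord("CTRL-004", "web-portal", 3, "u.auditor", TODAY - timedelta(days=20), "auditor", approved=True),
]

if __name__ == "__main__":
    print("Compliance by regulation:", compliance_by_regulation(RECORDS, TODAY))
    print("Scores needing re-assessment:", expired(RECORDS, TODAY))
```

Two details matter for a practitioner: an expired or unapproved score drops the control to 0 for every regulation citing it, so the aging timer is what keeps the compliance figure honest, and because the same record serves PCI, SOX and HIPAA, correcting one bad survey answer (via the approval step) corrects all three reports at once.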
Risk and Compliance Reporting

Generate reports and metrics to satisfy a diverse risk and compliance audience.

Key Product Features
  • Compliance Reporting
 - Compliance reports demonstrate section-by-section status of your compliance with industry regulations, compliance mandates, and your own security policy.
  • IT Risk Reporting
 - IT Risk reports catalog security gaps and how they could affect key business interests.
  • Operational Security Reporting
 - Operational security reports provide detailed security gap information for departments within IT operations.
  • Deliver Metrics for Rapid Security Enforcement
 - Communicate security gaps to IT operations teams and set specific expectations on remediation.
  • Trending Analysis
 - Metrics on compliance, IT risk, and operational security are trended on a daily basis.
  • Key Performance Indicators
 - Track the aggregate score for a user-defined subset of controls and Subjects against a target value.
  • Customizable Dashboard Views
 - Combine existing dashboard widgets into a personalized custom view.
  • Consolidated Findings Analysis
 - Employ the heuristics engine to effectively analyze control scores to discover patterns, such as a certain group of subjects that contribute disproportionately to a poor compliance score, or a certain type of control that fails across a broad array of subjects.
  • Remediation Modeling and Forecasting
 - Create "what-if" project scenarios to see how a project or remediation effort will improve your risk and compliance metrics, and use the results to optimize IT resources.
Benefits
  • Deliver Comprehensive Reports
 - Provide detailed reports to satisfy internal and external auditors.
  • Measure IT Risk to Business Impact
 - Communicate security gaps in a way that is easily understood by non-technical business stakeholders.
  • Deliver Metrics for Rapid Security Enforcement
 - Communicate security gaps to IT operations teams and set specific expectations on remediation.
  • Improve Internal Communication Regarding IT Risk and Compliance
 - Provide simple metrics that communicate your overall security, risk, and compliance posture.
  • Quickly Determine Trends
 - Demonstrate trends of security, risk, and compliance program improvement over time.
  • Focus on Metrics Vital to Your Business
 - Keep a watchful eye on specific areas of interest with a simplified report-card view of your security posture.
  • Highlight Metrics that You Need to See
 - Allows individual users to easily view the key metrics that are important to them.
  • Ensure Rapid Remediation for High Priorities
 - Quickly spot patterns in scoring information that allow you to identify high-value remediation efforts.
  • Improve Operational Efficiencies
 - Prioritize IT resources and remediation efforts based on the impact to metrics, and compare remediation projects by cost and time estimates across all controls.
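The Key Performance Indicator and Remediation Modeling features above, together with the "compare remediation projects by cost and time" benefit, describe a small computation: an aggregate score over a chosen subset of controls and Subjects is compared with a target, and a "what-if" scenario recomputes that aggregate with a proposed project's score changes applied to a copy of the data. The Python sketch below is an added example of that computation and is not the product's code; the scores, the KPI definition, the candidate projects and their cost and duration figures are constructed assumptions.

```python
"""Hypothetical KPI tracking and what-if remediation forecast
(added example, not the product's own code)."""
from dataclasses import dataclass

# Constructed current control scores per (control, subject) on an assumed 0..4 scale
SCORES = {
    ("CTRL-001", "crm-db"): 4, ("CTRL-001", "web-portal"): 4,
    ("CTRL-002", "crm-db"): 0, ("CTRL-002", "web-portal"): 4,
    ("CTRL-003", "crm-db"): 2, ("CTRL-003", "web-portal"): 1,
    ("CTRL-004", "crm-db"): 3, ("CTRL-004", "web-portal"): 3,
}


@dataclass
class Kpi:
    name: str
    controls: set       # user-defined subset of controls
    subjects: set       # user-defined subset of Subjects
    target: int         # target value in percent


@dataclass
class Project:
    name: str
    changes: dict       # (control, subject) -> score the project is expected to achieve
    cost: int           # constructed cost units
    weeks: int          # constructed duration estimate


def aggregate(scores, controls, subjects):
    """Percent of the maximum achievable score over the selected controls and Subjects."""
    cells = [(c, s) for c in sorted(controls) for s in sorted(subjects)]
    return round(100 * sum(scores.get(k, 0) for k in cells) / (4 * len(cells)))


def kpi_status(kpi, scores):
    """Report-card view: current value against the target."""
    value = aggregate(scores, kpi.controls, kpi.subjects)
    return {"kpi": kpi.name, "value": value, "target": kpi.target, "met": value >= kpi.target}


def forecast(kpi, scores, project):
    """What-if: apply the project's changes to a copy of the scores and report the delta.
    The live scoring record is never modified by a scenario."""
    projected = dict(scores)
    projected.update(project.changes)
    before = aggregate(scores, kpi.controls, kpi.subjects)
    after = aggregate(projected, kpi.controls, kpi.subjects)
    return {"project": project.name, "before": before, "after": after, "delta": after - before,
            "cost": project.cost, "weeks": project.weeks}


def rank_projects(kpi, scores, projects):
    """Order candidate projects by metric improvement per cost unit, then by duration."""
    return sorted((forecast(kpi, scores, p) for p in projects),
                  key=lambda f: (-f["delta"] / f["cost"], f["weeks"]))


# Constructed KPI and candidate remediation projects
PII_KPI = Kpi("PII protection", {"CTRL-002", "CTRL-003"}, {"crm-db", "web-portal"}, target=80)
PROJECTS = [
    Project("Encrypt CRM database", {("CTRL-002", "crm-db"): 4}, cost=40, weeks=6),
    Project("Automate access reviews", {("CTRL-003", "crm-db"): 4, ("CTRL-003", "web-portal"): 4}, cost=25, weeks=4),
]

if __name__ == "__main__":
    print(kpi_status(PII_KPI, SCORES))
    for f in rank_projects(PII_KPI, SCORES, PROJECTS):
        print(f)
```

Neither project alone reaches the 80 percent target in this constructed data, which is the kind of result the forecasting view is meant to surface before budget is committed: the ranking shows which project buys the most metric improvement per unit of cost, and the remaining gap tells the team that both, or a third, are needed.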